Use URL safe BASE64 encoding for console access ticket generation.

This commit is contained in:
Kelven Yang 2011-01-27 11:54:22 -08:00
parent 87008ae6a9
commit e7c8872651
2 changed files with 20 additions and 12 deletions


@ -706,21 +706,31 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, ConsoleProx
return new ConsoleAccessAuthenticationAnswer(cmd, false);
}
if(s_logger.isDebugEnabled())
s_logger.debug("Console authentication. Ticket in url for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + ticketInUrl);
String ticket = ConsoleProxyServlet.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId());
if(!ticket.startsWith(ticketInUrl)) {
if(s_logger.isDebugEnabled())
s_logger.debug("Console authentication. Ticket in 1 minute boundary for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + ticket);
if(!ticket.equals(ticketInUrl)) {
Date now = new Date();
// considering of minute round-up
String minuteEarlyTicket = ConsoleProxyServlet.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId(),
new Date(now.getTime() - 60*1000));
if(!minuteEarlyTicket.startsWith(ticketInUrl)) {
if(s_logger.isDebugEnabled())
s_logger.debug("Console authentication. Ticket in 2-minute boundary for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + minuteEarlyTicket);
if(!minuteEarlyTicket.equals(ticketInUrl)) {
s_logger.error("Access ticket expired or has been modified. vmId: " + cmd.getVmId() + "ticket in URL: " + ticketInUrl + ", tickets to check against: " + ticket + "," + minuteEarlyTicket);
return new ConsoleAccessAuthenticationAnswer(cmd, false);
}
}
if (cmd.getVmId() != null && cmd.getVmId().isEmpty()) {
if (s_logger.isTraceEnabled()) {
s_logger.trace("Invalid vm id sent from proxy(happens when proxy session has terminated)");
if (s_logger.isDebugEnabled()) {
s_logger.debug("Invalid vm id sent from proxy(happens when proxy session has terminated)");
}
return new ConsoleAccessAuthenticationAnswer(cmd, false);
}


@ -34,10 +34,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import com.cloud.domain.dao.DomainDao;
import com.cloud.domain.dao.DomainDaoImpl;
import com.cloud.host.HostVO;
import com.cloud.server.ManagementServer;
import com.cloud.user.Account;
@ -45,8 +44,6 @@ import com.cloud.user.User;
import com.cloud.utils.Pair;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.encoding.Base64;
import com.cloud.vm.UserVmVO;
import com.cloud.vm.VMInstanceVO;
/**
@ -288,7 +285,7 @@ public class ConsoleProxyServlet extends HttpServlet {
}
String sid = vm.getVncPassword();
long tag = vm.getId();
String ticket = URLEncoder.encode(genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag)));
String ticket = genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag));
sb.append("/getscreen?host=").append(host);
sb.append("&port=").append(portInfo.second());
@ -313,7 +310,7 @@ public class ConsoleProxyServlet extends HttpServlet {
}
String sid = vm.getVncPassword();
long tag = vm.getId();
String ticket = URLEncoder.encode(genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag)));
String ticket = genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag));
sb.append("/ajax?host=").append(host);
sb.append("&port=").append(portInfo.second());
@ -347,7 +344,8 @@ public class ConsoleProxyServlet extends HttpServlet {
mac.update(String.valueOf(ts).getBytes());
byte[] encryptedBytes = mac.doFinal();
return Base64.encodeBytes(encryptedBytes);
return Base64.encodeBase64URLSafeString(encryptedBytes);
} catch(Exception e) {
s_logger.error("Unexpected exception ", e);
}
@ -518,7 +516,7 @@ public class ConsoleProxyServlet extends HttpServlet {
mac.init(keySpec);
mac.update(unsignedRequest.getBytes());
byte[] encryptedBytes = mac.doFinal();
String computedSignature = Base64.encodeBytes(encryptedBytes);
String computedSignature = com.cloud.utils.encoding.Base64.encodeBytes(encryptedBytes);
boolean equalSig = signature.equals(computedSignature);
if (!equalSig) {
s_logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
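Review bot: In the signature-check hunk (`@ -518,7 +516,7`) the line `s_logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);` writes the correct HMAC for the request to the log at INFO level, so a log reader can replay that request; drop `computedSignature` from the message and log only the user-supplied value. `signature.equals(computedSignature)` is also a variable-time comparison of an HMAC, which `MessageDigest.isEqual(signature.getBytes(), computedSignature.getBytes())` avoids on JDKs where it is constant-time. Separately, `unsignedRequest.getBytes()` uses the platform default charset; if clients sign UTF-8 this should be `getBytes("UTF-8")` so non-ASCII parameters verify identically on every host — worth confirming against the API signing contract. The enclosing method continues past the end of the hunk.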